A directory service is the collection of software, hardware, policies, and administrative procedures that makes the information stored in an associated directory accessible to the entities that need it, such as users and applications. A directory service generally includes at least one directory server and one or more clients. The directory server may provide a centralized directory service for an intranet or extranet while integrating with existing systems.
More specifically, the directory server typically includes (or is operatively connected to) a general-purpose directory that stores all of its information in a single, network-accessible repository. The directory server exposes a standard protocol and application programming interface (API) for accessing the information in the directory, and it provides a global directory service, meaning that the same information is served to a wide variety of applications from one centralized repository. Because so many different entities (users, applications, and so on) access the directory, the directory needs a network-based means of communicating uniformly with all of them. For this the directory may use the Lightweight Directory Access Protocol (LDAP) or another directory access protocol, for example the X.500 Directory Access Protocol (DAP) or the Directory Services Markup Language (DSML).
LDAP is a binary wire protocol, with messages defined in ASN.1 and encoded with the Basic Encoding Rules (BER), that runs over Transmission Control Protocol/Internet Protocol (TCP/IP), by default on port 389 (636 for LDAP over TLS). It gives entities (users, applications, etc.) a standard way to request and manage the information stored in the directory. An LDAP-compliant directory relies on a single master directory that owns all user, group, and access control information. The directory is hierarchical rather than relational, and it is optimized for reads, reliability, and scalability. It becomes the specialized central repository that describes objects and supplies user, group, and access control information to every entity on the network. For example, the directory can give information technology managers a list of all the hardware and software assets in a widely distributed enterprise. Further, instead of creating an account for each user in every system the user needs to access, a single directory entry is created for the user in the LDAP directory. Clients can then read names, phone numbers, addresses, and other data stored in the directory.
LDAP-compliant directory servers typically implement nine basic protocol operations, which fall into three categories. The first category is query operations, namely search and compare, which let a client ask questions of the directory. The search operation locates the entries that match a filter and returns them; the compare operation asks whether a given entry holds a given attribute value. Retrieving entries from the directory (via the directory server) normally results in each matching entry being returned to the requesting client as a whole entry, in its own search result entry message (unless the client restricts the attribute list in its request). The client then performs whatever further processing it needs on the retrieved entries to extract the relevant information. Note that there is no separate LDAP read operation: a read is a search with base scope on the entry's own DN.
The second category is update operations: add, delete, modify, and modify distinguished name (DN), i.e., rename. A DN is the unique, unambiguous name of an entry in LDAP. These operations change the information in the directory. The third category is authentication and control operations: bind, unbind, and abandon. The bind operation lets a client identify itself to the directory by supplying an identity and authentication credentials: the client sends a DN and a set of credentials, and the server checks whether the credentials are correct for that DN and, if they are, treats the client as authenticated for as long as the connection remains open or until the client binds again. Two practitioner caveats apply. With a simple bind the password travels as a plain octet string, so the connection should be protected with TLS (LDAPS, or the StartTLS extended operation) before the bind is sent. And a bind request that carries a DN together with an empty password is an unauthenticated bind, not a failed one; RFC 4513 says servers should reject it by default, because a client that checks only for a successful bind result would otherwise accept an empty password. The unbind operation lets a client end a session: when the client issues an unbind, the server discards any authentication information associated with the connection, terminates any outstanding LDAP operations, and disconnects from the client, closing the TCP connection. Unbind has no response. The abandon operation lets a client indicate that it no longer cares about the result of an operation it submitted earlier. On receiving an abandon request, the server stops processing the operation whose message ID is named in the request; the abandon itself has no response, and the client should not expect a result for the abandoned operation.
In addition to the three main groups of operations, the LDAP protocol defines a framework for adding new operations via LDAP extended operations. An extended request carries an object identifier (OID) naming the operation and an optional value, so the protocol can be extended in an orderly manner as new needs emerge. StartTLS, which upgrades an existing connection to TLS, is the canonical example, and a server advertises the extended operations it supports in the supportedExtension attribute of its root DSE.
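The nine operations and the extended-operation framing described above, as an added worked example that is not part of this document: a minimal Python BER encoder and decoder that builds the client's bind, search, abandon, unbind and StartTLS extended requests byte for byte, builds and parses the server's BindResponse and SearchResultDone replies, and classifies a bind request as anonymous, unauthenticated, simple or SASL (the RFC 4513 distinction a server, or a sensor watching port 389, needs to make). The DNs, password and attribute values are invented, and the helper names are this example's own, not those of any LDAP library.

```python
"""BER encoding and decoding of a few LDAPv3 messages (RFC 4511). Constructed example; DNs and
values are invented, and only single-octet tags and the simple/SASL bind choices are handled."""

# Universal BER tags, then the APPLICATION-class tags from the LDAP ASN.1 module.
INTEGER, OCTET_STRING, ENUMERATED, SEQUENCE, BOOLEAN = 0x02, 0x04, 0x0A, 0x30, 0x01
BIND_REQUEST, BIND_RESPONSE, UNBIND_REQUEST = 0x60, 0x61, 0x42   # unbind is [APPLICATION 2] NULL
SEARCH_REQUEST, SEARCH_ENTRY, SEARCH_DONE = 0x63, 0x64, 0x65
ABANDON_REQUEST, EXTENDED_REQUEST = 0x50, 0x77                   # abandon carries a bare MessageID
AUTH_SIMPLE, AUTH_SASL = 0x80, 0xA3                              # AuthenticationChoice: simple [0], sasl [3]
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"                          # StartTLS extended operation, RFC 4511 4.14

def ber_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(content)) + content

def ber_int(value: int, tag: int = INTEGER) -> bytes:
    # Minimal two's-complement encoding; the +8 keeps a leading 0x00 when the top bit is set.
    return tlv(tag, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))

def ber_decode(data: bytes, pos: int = 0) -> tuple:
    """Return (tag, content, next_pos) for the TLV starting at data[pos]."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def ldap_message(mid: int, protocol_op: bytes) -> bytes:
    return tlv(SEQUENCE, ber_int(mid) + protocol_op)

# --- client -> server ---------------------------------------------------------
def bind_request(mid: int, dn: str, password: bytes) -> bytes:
    op = ber_int(3) + tlv(OCTET_STRING, dn.encode()) + tlv(AUTH_SIMPLE, password)
    return ldap_message(mid, tlv(BIND_REQUEST, op))

def search_request(mid: int, base: str, attr: str, value: str, attrs: list, scope: int = 2) -> bytes:
    # Filter equalityMatch [3] is IMPLICIT, so its tag 0xA3 replaces the AVA's SEQUENCE tag.
    filt = tlv(0xA3, tlv(OCTET_STRING, attr.encode()) + tlv(OCTET_STRING, value.encode()))
    op = (tlv(OCTET_STRING, base.encode())
          + ber_int(scope, ENUMERATED)       # 0 baseObject, 1 singleLevel, 2 wholeSubtree
          + ber_int(0, ENUMERATED)           # derefAliases: neverDerefAliases
          + ber_int(0) + ber_int(0)          # sizeLimit, timeLimit: 0 = no client-requested limit
          + tlv(BOOLEAN, b"\x00")            # typesOnly FALSE: return values, not just attribute names
          + filt
          + tlv(SEQUENCE, b"".join(tlv(OCTET_STRING, a.encode()) for a in attrs)))
    return ldap_message(mid, tlv(SEARCH_REQUEST, op))

def abandon_request(mid: int, abandoned: int) -> bytes:
    return ldap_message(mid, ber_int(abandoned, ABANDON_REQUEST))

def unbind_request(mid: int) -> bytes:
    return ldap_message(mid, tlv(UNBIND_REQUEST, b""))

def extended_request(mid: int, oid: str, value=None) -> bytes:
    op = tlv(0x80, oid.encode()) + (tlv(0x81, value) if value is not None else b"")
    return ldap_message(mid, tlv(EXTENDED_REQUEST, op))

# --- server -> client (ldap_result builds the sample replies, the decoders parse them) ----
def ldap_result(mid: int, op_tag: int, code: int, diag: str = "", matched: str = "") -> bytes:
    """BindResponse and SearchResultDone both wrap an LDAPResult: code, matchedDN, diagnosticMessage."""
    body = ber_int(code, ENUMERATED) + tlv(OCTET_STRING, matched.encode()) + tlv(OCTET_STRING, diag.encode())
    return ldap_message(mid, tlv(op_tag, body))

def protocol_op(msg: bytes) -> tuple:
    """Strip the LDAPMessage envelope: returns (messageID, op_tag, op_content)."""
    _, body, _ = ber_decode(msg)
    _, mid, pos = ber_decode(body)
    op_tag, op, _ = ber_decode(body, pos)
    return int.from_bytes(mid, "big", signed=True), op_tag, op

def decode_result(msg: bytes) -> dict:
    mid, op_tag, op = protocol_op(msg)
    _, code, pos = ber_decode(op)
    _, matched, pos = ber_decode(op, pos)
    _, diag, _ = ber_decode(op, pos)
    return {"messageID": mid, "op": op_tag, "resultCode": int.from_bytes(code, "big", signed=True),
            "matchedDN": matched.decode(), "diagnosticMessage": diag.decode()}

def classify_bind(msg: bytes) -> str:
    """RFC 4513 5.1: empty name and password = anonymous bind; a name with an empty password is an
    'unauthenticated' bind, which servers SHOULD reject since a client may mistake it for success."""
    _, _, op = protocol_op(msg)
    _, _, pos = ber_decode(op)                         # version
    _, name, pos = ber_decode(op, pos)
    auth_tag, cred, _ = ber_decode(op, pos)
    if auth_tag == AUTH_SASL:
        return "sasl"
    if not name and not cred:
        return "anonymous"
    return "unauthenticated" if not cred else "simple"
```

An anonymous bind encodes to the 14-byte sequence 30 0c 02 01 01 60 07 02 01 03 04 00 80 00 that anyone who has sniffed port 389 will recognise; a simple bind differs only in the name and the password octet string, which is why the StartTLS extended request (or LDAPS) has to come first. SearchResultEntry replies (tag 0x64) carry the whole entry as a DN followed by a SEQUENCE OF {type, SET OF values} and can be walked with the same ber_decode helper; the search ends with a SearchResultDone that decode_result parses. Unbind and abandon are request-only, which the encoders reflect by having no matching decoder.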